#32718: [3.2.1] Issue with assigning file to FileField
-------------------------------------+-------------------------------------
Reporter: Jakub Kleň | Owner: nobody
Type: Bug | Status: new
Component: Database layer | Version: 2.2
(models, ORM) |
Severity: Release blocker | Resolution:
Keywords: 3.2.1 file model | Triage Stage: Accepted
filefield fieldfile |
Has patch: 1 | Needs documentation: 1
Needs tests: 1 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by carderm):
Replying to [comment:14 Florian Apolloner]:
> Replying to [ticket:32718 Jakub Kleň]:
> > Correct me if I'm wrong, but file-like objects always contain the full
path to the file in the `name` attribute (the built-in Django `File` class
even uses it to reopen the file if it was closed), and so it seems to be a
bug in Django itself.
>
> This is true, but according to my tests on earlier versions a full
(absolute) path did fail already because it would usually be outside the
MEDIA_ROOT. Can you provide some more details?
I believe an absolute path outside of Media Root should fail, that is
correct (in my opinion) - as an **absolute** path might be able to write
shell scripts around the file system...
It should however, work for a **relative** file path.
**Hack example here**
{{{
# Some model
class FileModel(models.Model):
file_field = models.FileField(_('UsersFile'), storage='users',
max_length=1000)
model_inst = FileModel()
# Add some file
new_file = ContentFile(some_file.read())
new_file.name = f"{user.name}/file.txt" # E.g. "steve/file.txt" <<<
This file should only be for 'steve'
model_inst.file = new_file
# Save the Model
model_inst.save() #<<< in Django 3.2.0 this creates file
"MEDIA_ROOT/users/steve/file.txt ! which is correct
model_inst.save() #<<< in Django 3.2.1 this FAILS with Path issue !
Incorrect
model_inst.save() #<<< in Django Latest Git commit will create
"MDEIA_ROOT/users/file.txt ! which is incorrect - missing path!
# What we need to stop:
bad_file = ContentFile(malicious_script.read())
bad_file.name = "/etc/init.d/nameofscript.sh"
# or
bad_file.name = "../../../../../usr/local/lib/bad.file"
model_inst.file = bad_file
# On Save we need to protect here - imho
model_inst.save() # <<< This *should Fail* with Security Error
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/32718#comment:22>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/064.3394b579097b7843dae73adfa6c38c93%40djangoproject.com.
